What exactly do you get access to?
The honest answer, per cloud. The first scan uses a read-only role you deploy from a published template. Every action below is a describe, list, or get — this page renders the actual list, so it can never drift from what we deploy.
AWS — read-only IAM role
81 actions · published as CloudFormation & TerraformYou deploy a role that trusts our account under an external id we generate per connection (prevents the confused-deputy problem). We hold only the role ARN and external id and re-assume it read-only on each sync — no long-lived credentials are stored.
81 read-only actions, parsed from the exact CloudFormation template we publish — this page is drift-guarded by tests.
Not ready to grant a role? Bring one month of CSV bill data — the Day-0 audit runs without credentials, inside the private beta.
Cost Explorer & billing
13 actionsRead spend, tags, commitment coverage, and AWS's own purchase recommendations — the numbers behind every figure.
ce:GetCostAndUsagece:GetCostForecastce:GetReservationCoveragece:GetReservationUtilizationce:GetSavingsPlansCoveragece:GetSavingsPlansUtilizationce:GetSavingsPlansUtilizationDetailsce:GetReservationPurchaseRecommendationce:GetSavingsPlansPurchaseRecommendationce:GetTagsce:GetDimensionValuesce:DescribeCostCategoryDefinitionce:ListCostCategoryDefinitionsUtilization metrics
3 actionsRead CloudWatch CPU (avg/p95/max) so rightsizing evidence is measured, not guessed.
cloudwatch:GetMetricDatacloudwatch:GetMetricStatisticscloudwatch:ListMetricsCompute & storage inventory
11 actionsDescribe EC2 instances, EBS volumes, Elastic IPs, NAT gateways, and snapshots for the idle-resource sweep and topology.
ec2:DescribeReservedInstancesec2:DescribeInstancesec2:DescribeInstanceTypesec2:DescribeVolumesec2:DescribeAddressesec2:DescribeNatGatewaysec2:DescribeSnapshotsautoscaling:DescribeAutoScalingGroupslambda:ListFunctionslambda:ListProvisionedConcurrencyConfigsapplication-autoscaling:DescribeScalableTargetsDatabase inventory
19 actionsDescribe RDS, ElastiCache, OpenSearch, Redshift, and DynamoDB for rightsizing and idle detection.
rds:DescribeDBInstancesrds:DescribeDBClustersrds:DescribeReservedDBInstancesdynamodb:ListTablesdynamodb:DescribeTabledynamodb:DescribeTimeToLivedynamodb:ListTagsOfResourceelasticache:DescribeCacheClusterselasticache:DescribeReplicationGroupselasticache:DescribeReservedCacheNodeselasticache:ListTagsForResourcees:ListDomainNameses:DescribeDomaines:DescribeDomainses:DescribeElasticsearchDomaines:DescribeElasticsearchDomainses:ListTagsredshift:DescribeClustersredshift:DescribeReservedNodesObject-storage configuration
7 actionsList buckets and read their lifecycle/tiering configuration (config only — never object contents).
s3:ListAllMyBucketss3:GetBucketLocations3:GetBucketTaggings3:GetBucketVersionings3:GetLifecycleConfigurations3:GetBucketIntelligentTieringConfigurations3:GetInventoryConfigurationOrganizations hierarchy
8 actionsRead the account/OU tree so multi-account spend rolls up. Degrades gracefully on member accounts.
organizations:DescribeOrganizationorganizations:ListRootsorganizations:ListOrganizationalUnitsForParentorganizations:ListAccountsForParentorganizations:ListAccountsorganizations:ListParentsorganizations:DescribeAccountorganizations:DescribeOrganizationalUnitAWS-native optimizer findings
16 actionsImport AWS's own recommendations (Cost Optimization Hub, Compute Optimizer, Trusted Advisor) — read-only, only where you've opted in.
cost-optimization-hub:ListRecommendationscost-optimization-hub:GetRecommendationcost-optimization-hub:ListEnrollmentStatusescompute-optimizer:GetEnrollmentStatuscompute-optimizer:GetRecommendationSummariescompute-optimizer:GetEC2InstanceRecommendationscompute-optimizer:GetAutoScalingGroupRecommendationscompute-optimizer:GetEBSVolumeRecommendationscompute-optimizer:GetLambdaFunctionRecommendationscompute-optimizer:GetECSServiceRecommendationscompute-optimizer:GetRDSDatabaseRecommendationstrustedadvisor:ListRecommendationstrustedadvisor:GetRecommendationsupport:DescribeTrustedAdvisorCheckssupport:DescribeTrustedAdvisorCheckResultsupport:DescribeTrustedAdvisorCheckSummariesBroad resource discovery
3 actionsOne tagging-API sweep plus CloudFront so the infrastructure map covers more of the estate without per-resource describes.
cloudfront:ListDistributionscloudfront:GetDistributiontag:GetResourcesIdentity check
1 actionsConfirm which account the role landed in (sts:GetCallerIdentity) — no other identity access.
sts:GetCallerIdentityOptional: Cost & Usage Report (CUR) access
Attached only if you point us at a CUR S3 bucket — it gives line-item-grade billing. Without it we use the Cost Explorer API above.
This is the only policy that can write, and only inside the CUR bucket you designate: Athena writes its query results (scratch output) there to run. It never writes to any other resource, and it reads only your billing-export files — not application data.
s3:GetObjects3:GetObjectVersions3:ListBuckets3:GetBucketLocationathena:StartQueryExecutionathena:StopQueryExecutionathena:GetQueryExecutionathena:GetQueryResultsathena:GetWorkGroupglue:GetTableglue:GetTablesglue:GetDatabaseglue:GetDatabasesglue:GetPartitionglue:GetPartitionsglue:BatchGetPartitions3:PutObjects3:AbortMultipartUploads3:ListMultipartUploadPartsAzure — service principal, reader roles
You register an app (“CloudJaeger Cost Reader”) and assign it two built-in Azure roles. Neither can write.
Cost Management ReaderReads spend data via the Azure Cost Management query API.
ReaderLists resources and reads utilization metrics for inventory and rightsizing. If Cost Management is unavailable, we still connect for inventory with Reader alone.
GCP — service account, viewer roles
Cost comes from your BigQuery billing export, not the Billing API. The service account gets read-only viewer roles and read-only OAuth scopes.
roles/billing.viewerConfirm the billing account and locate the billing export (metadata only).
roles/bigquery.dataViewerRead the billing-export dataset — the cost line items themselves.
roles/bigquery.jobUserRun the read-only query that pulls the export.
roles/compute.viewerList Compute Engine resources for inventory and idle detection.
roles/monitoring.viewerRead utilization metrics for rightsizing evidence.
OAuth scopes
https://www.googleapis.com/auth/cloud-billing.readonlyhttps://www.googleapis.com/auth/bigquery.readonlyWhat CloudJaeger never touches
- No write to your infrastructure — the read-only role describes, lists, and gets; it never creates, modifies, or deletes a resource. (The optional CUR add-on can write only Athena scratch into the CUR bucket you designate — see below.)
- No application data — no database rows, no message queues, no object contents. (The optional CUR add-on reads only your billing-export files.)
- No logs or secrets — no CloudTrail export, no Secrets Manager, no KMS key material.
- No agents or code — nothing runs inside your account; we assume a role and call read APIs.
- No standing credentials stored — for AWS we hold only the role ARN + external id and re-assume each sync.
Off-boarding & data lifecycle
Delete the role, service principal, or key any time — the next sync fails and the connection stops. That is full off-boarding, in your hands.
- Delete the role (or service principal / key) any time — the next sync fails and the connection flips to error. That is full off-boarding. Security posture →
- Data retention, export, and deletion are covered in the Data Processing Agreement. Data Processing Agreement →
- What we collect and why is in the Privacy Policy. Privacy Policy →
- Controls, audit trail, and sub-processors are on the Trust & Security center. Trust & Security →
Read-only first, deletable any second.
A founder reviews every request. Start with a read-only pilot and keep the findings report either way.
